[Owasp-testing] OWASP Testing Guide v4: start-up
rick.mitchell at bell.ca
rick.mitchell at bell.ca
Mon Jul 19 14:44:50 EDT 2010
I totally agree that all guides need to be compliant with each other. I kind of see Common Numbering as a way to accomplish this.
For example in the Dev guide I assume there's a section (or sections) that deal with strong input validation, via common numbering those sections should reference Testing topics such as SQL Injection, HPP, Buffer Overflow, etc. Similarly via common numbering those same sections in the Testing guide should reference whichever relevant section(s) of the Dev guide (strong input validation).
As I'm saying this I'm also looking at the ASVS content, which common numbering was supposed to be based on, and it seems to have changed since the common numbering idea was put forth. Is common numbering an impossible goal since all guides/projects move at a different pace and are acted upon by different groups? Should Common Numbering be established and set in stone for particular versions of the guides? i.e.: TGv3, ASVSv2009 [couldn't find current version info, docs seem to be tagged 2009], Code Review Guide v1.1, Dev Guide 2.0.1 or actually the upcoming versions should all use v1 of the Common Numbering scheme? Then if new things need to be added to subsequent versions of the guides/projects the common numbering scheme should be incremented and enhanced with new categories/items as well (prior to work on the other guides/project)...
As for O2, I agree that a separate reference or user guide could/should be developed and referenced as needed. At the same time as things currently are the TG provides testing examples using various tools (of the author's choice, at the time of writing), there is no reason that anyone should be prevented from using O2 as part of their example(s). Authors are telling people that they "must" use tool XYZ to test item ABC, it's only an example/suggestion.
From: Eoin [mailto:eoinkeary at gmail.com]
Sent: July 19, 2010 2:11 PM
To: Mitchell, Rick (6030318)
Cc: anurag.agarwal at yahoo.com; vishalgrg at gmail.com; owasp-testing at lists.owasp.org
Subject: Re: [Owasp-testing] OWASP Testing Guide v4: start-up
All guides need to compliant each other, cover off the same issues, one might say?
Common numbering is fine but we need to cross reference development and review guides.
O2 is a static analysis tool so why the testing guide? The user guide for that tool needs to be developed stand alone which can then also referenced.
(on a boat off the west coast I'd Ireland, sorry for the berevity)
On 19 Jul 2010 18:55, <rick.mitchell at bell.ca<mailto:rick.mitchell at bell.ca>> wrote:
If v4 fully adopts Common OWASP Numbering, won't all the guides be aligned? (Unless we purposefully ...
From: owasp-testing-bounces at lists.owasp.org<mailto:owasp-testing-bounces at lists.owasp.org> [mailto:owasp-testing-bounces at lists.owasp.org<mailto:owasp-testing-bounces at lists.owasp.org>] On Behalf Of Eoin
Sent: July 18, 2010 5:22 PM
To: Vishal Garg
Cc: Anurag Agarwal; Owasp leaders; owasp-testing
Subject: Re: [Owasp-testing] OWASP Testing Guide v...
that is something that has always been on my mind.
Converging guides and methodology is the ...
Owasp-testing mailing list
Owasp-testing at lists.owasp.org<mailto:Owasp-testing at lists.owasp.org>
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Owasp-testing